Professional Documents
Culture Documents
Abstract • elicitation
• analysis
We present a requirements engineering tool and associated
• specification
methodology that converts natural language and graphical
• validation/verification
requirements to models expressed in a process algebra
• management
formalism. Natural language requirements are automat-
ically converted into the concrete syntax of the process Each one of these activities has very distinct social and
algebra using reconfigurable parsing and transformations. technological aspects [3]. Analysis and elicitation demand
Graphical requirements in the form of finite state dia- a great deal of customer contact, domain knowledge,
grams are changed into textual form before parsing and experience and creativity [4], making them more difficult to
generation of the formal models. Analysis of the formal systematise than the subsequent design or implementation
models by a requirements engineer can lead to iterative activities. On the other hand, requirements management,
refinement of the natural language requirements and the specification and verification can certainly benefit from the
tool configuration. The motivation for this work comes use of tools and well defined methodologies.
from the possible reduction in reworking when formal Our work tries to address the technological aspect
methods are used early in the development life cycle. of requirements engineering by creating a framework to
Our framework allows the coexistence of an user-friendly assist the analysis and verification of requirements by the
document that is suitable for non-technical users and a developer. In this paper, we outline an approach that makes
formal model suitable for verification and reasoning. use of Formal Methods1, natural language processing and
graphical notation. We also describe a software tool cur-
1. Introduction rently in development that is based on this approach, and
conclude with an illustrative example.
Commercial software projects have always faced the
difficult goal of releasing products of quality on time and 2. Formal Methods and Natural Language
within budget. However, an increasingly competitive mar-
ket puts projects under more pressure by demanding higher Restricted forms of natural language are widely used as
quality, shorter turnaround cycles and cheaper software. a notation for software requirements specifications. Natural
The number of errors found during development have a language is convenient because it allows non-technical
strong influence on the software metrics mentioned above. users to understand the product requirements. On the other
The sooner a problem is identified and fixed, the less it hand, the lack of precise semantics increases the possibility
costs the project [1]. When an error that was introduced of errors being introduced due to interpretation mistakes
in requirements engineering is found during testing, en- and inherent ambiguity. Under or over specification are
gineers must fix the incorrect requirements, check all of also common problems when using natural language.
the ramifications through design and implementation and Formal methods have been advocated as one way to de-
finally retest the product. fine requirements with mathematical precision and rigour
In the light of the above discussion, requirements [5]. They provide the means to build system models by
engineering is critical to the success of any project. It specifying their structure and behaviour. When used in
certainly pays to verify requirements as thoroughly as conjunction with tools support, automated verification of
possible before they are used for design or testing purposes. properties for complex models is also possible.
However this is not easily achieved. 1 In this paper, the term “formal” means “having precise semantics with
Requirements engineering consists of the following mathematical basis”, rather than the more general meaning of “being
tasks [2]: organised in a formal way”.
3.1
AWRE’04 9th Australian Workshop on Requirements Engineering
The usefulness of formal methods relies on models without the need for specifying all of them explicitly. Parse
being faithful representations of the essential aspects of the trees are stored in the tuple space. A group of related tuples
informal system. Determining this is something that cannot constitute a T-model.
be done entirely in the formal framework, and requires Using Circe’s browser-based interface, an user can
comparison of the formal representation with the original request the generation of different concrete views of the
requirements. This inherently precludes the existence of data stored in the tuple space. Circe uses internal tools
completely automated frameworks, since some degree of called modellers to manipulate existing and build new T-
human analysis is always necessary. models containing the information necessary for a certain
Many requirements specifications are built by decom- view. A projector is used to select data from one or more
posing a system into smaller components, whose behaviour T-models and create an appropriate abstract model for the
can be more easily captured. It is then necessary to define requested view. Finally, a translator is invoked to produce
the interaction between those components, an aspect that is a concrete syntax representation of the abstract model. The
captured in structural requirements. The internal dynamics open architecture is a major virtue of Circe, as modellers,
of components is specified by behavioural requirements. projectors and translators are not restricted in terms of what
This modelling approach is supported by features present type of data they can produce or how they operate. This
in many formal methods. flexibility is also possible due to the use of an unified
Although formal methods have been applied success- storage paradigm - the tuple space - making exchange of
fully in industry and research projects, they are still not information between the tools quite easy.
widely used today. Being based on mathematical frame-
works and notations, they are not as intuitive to the general 3. Formal Methods and Graphical Notations
audience as natural language. Graphical notations are one possible alternative to the
One proposed solution to this is the translation of re- use of natural language to specify requirements. They are
quirements written in natural language to a formal notation. a widespread and well accepted technique in design and
Flake et al. [6] [7] [8] proposed the use of a subset of implementation, and have also been used to some extent in
English to specify temporal properties. Requirements are requirements engineering [12]. Some graphical notations
mechanically converted to temporal logic formulae. The provide elements to describe structural and behavioural
main issue with this type of approach is that it is quite information, supporting the modular way of specifying
restrictive in terms of the subset of the language that systems as discussed in the previous section.
can be used in properties, making the requirements sound UML is a framework composed of graphical and tex-
somewhat artificial. tual notations that allow the specification of structure
The conversion of natural language to formal notations and behaviour. However, the specification of the UML
raises the issue of synchronisation between the two forms. semantics relies largely on natural language description
Hünle et al. [9] introduced a tool that allows simultaneous and only uses mathematical notation to a limited extent.
manipulation of requirements in multiple concrete nota- Some attention has been given by the research community
tions. The tool stores requirements in an internal abstract to express a more formalised semantics for UML. Liu et
model that is presented to the user via a graphical interface al. [13] defined a formal1 semantics for use-case and class
in both English and UML’s Object Constraint Language diagrams using a formal language, so that they can be
[10]. The user can modify any of these two concrete applied to the specification of requirements. Shen and Liu
representations, and the tool is responsible for propagating [14] proposed the use of use-case diagrams with formal
the changes to the model and back to the user interface. constraints written in a text-based formal language. As with
One problem noted by the authors was that the generated all formal methods, these approaches still demand expertise
English text followed the structure of the internal abstract when it comes to writing or reading the requirements.
tree, which could result in non-intuitive sentences. The tool A similar situation is described by Miller et al. in [15].
also suffered from being too restrictive in terms of the A flight guidance system requirements specification was
English input grammar. written using a graphical requirements language called
Ambriola and Gervasi [11] developed a system that RSML (a notation influenced by Harel’s Statecharts [16]).
addresses the lack of parsing flexibility found in other The requirements were converted mechanically to temporal
approaches. Circe is an environment composed of a parser logic properties that were then verified using a model
(Cico), a storage mechanism based on general purpose checker. Again, the use of a formal method required experi-
tuple-based data structures and a number of internal pro- enced people to write and maintain the formal requirements
grams to manipulate data. Requirements are parsed by Cico manually.
using a technique called fuzzy matching, which makes it We believe that a combination of natural language,
possible to match certain variations of grammar patterns graphical notations, and formal methods is necessary to
3.2
AWRE’04 9th Australian Workshop on Requirements Engineering
3.3
AWRE’04 9th Australian Workshop on Requirements Engineering
Initial Customer
Requirements
Initial
Customer
Requirements
B A C
Requirements
Parser Natural modeller
Modelling Configuration Language Specification
Requirements
Borg
Natural
Language Process Algebra
Requirements (Concrete Syntax)
Generated
Fig. 2. Requirements Modelling Model
3.4
AWRE’04 9th Australian Workshop on Requirements Engineering
3.5
AWRE’04 9th Australian Workshop on Requirements Engineering
OPEN command
struction of system models. However, his approach seems
to require considerable human input in the construction of
SHUT OPEN
the behavioural trees.
The final process algebra model for our system can be
CLOSE command
quite easily represented in graphical format using transition
Fig. 5. Graphical requirement for the Door Module diagrams. Figure 6 shows the behaviour of the lift system.
This specification of the lift system presents a problem
since it allows the lift to move while the door is open.
Requirement 7.2: The DM state is initially SHUT. Additional requirements need to be created to prevent this
Requirement 7.3: The LM state is initially IDLE. condition from occurring. The appropriate natural language
requirements are:
These requirements do not correspond to any Circal
processes by themselves, but serve to introduce the SHUT Requirement 7.6: If the LM state is equal to MOVING
and IDLE states to the modeller and relate them to the the LS shall not allow the OPEN command.
DM and LM. Upon occurrence of events, DM and LM Requirement 7.7: If the DM state is equal to OPEN the
will respond differently. The door module can be specified LS shall not allow the START command.
in the following way: Requirements 7.6 and 7.7 add constraints to the lift
Requirement 7.4: When the DM state is equal to SHUT, system by relating states and transitions from both lift and
upon receipt of the OPEN command, the LS shall set the door modules. It is possible to represent such constraints in
DM state to OPEN. process algebra by using processes [18]. Borg identifies the
The event that correspond to the door opening is identi- parse trees generated by these requirements as constraints,
fied by the term “OPEN command”, and needs to be added and generates the appropriate processes for them. The re-
to the glossary. This process of refining Cico’s configura- vised behaviour of the lift system is obtained by composing
tion according to the specification format corresponds to together the process representations of the requirements
step B in Figure 3. A similar requirement is needed for the and the process representations of the constraints. This
CLOSE command: time, the lift system is free of the moving/open problem
Requirement 7.5: When the DM state is equal to identified earlier, as can be seen in Figure 7.
OPEN, upon receipt of the CLOSE command, the LS shall An important point to make about the analysis step of
set the DM state to SHUT. the modelling process is that it really consists of evaluating
the formal model from a “real world” perspective to judge
In larger projects it can be seen that specifying such
its usefulness. In this example, it corresponds to reaching
types of requirements can be quite repetitive and suscepti-
the conclusion that “lift moving” and “door open” were
ble to clerical mistakes. An alternative way to define these
not desirable at the same time. It reinforces the need for
is simply to represent them as a graphical requirement, as
human interaction during requirements engineering, even
shown in Figure 5.
when some of the steps are automated.
The LM can be defined by a similar graphical construct,
using the IDLE and MOVING states and the MOVE 8. Conclusion
and STOP commands. Borg translates the behavioural
requirements for the DM and LM to equivalent constructs We introduced Borg, a framework for the assisted gen-
in process algebra: processes. A process represents the eration of formal Circal models based on natural language
behaviour of a particular component in a system, and can and graphical requirements. The motivation for this work
be combined with other processes using the composition is:
operator.
START command
The requirements presented so far are sufficient to SHUT * IDLE SHUT * MOVING
specify the model of the system. Borg generates a Circal STOP command
resultant behaviour of the lift system from the model. In command command command command
3.6
AWRE’04 9th Australian Workshop on Requirements Engineering
START command
SHUT * IDLE SHUT * MOVING translated from the model could assist in the verification
STOP command
of correctness of the model.
References
OPEN CLOSE
command command
[1] B. W. Boehm, Software Engineering Economics. Prentice Hall,
1981.
[2] M. Dorfman, “Requirements engineering,” in Software Require-
OPEN * IDLE ments Engineering, 2nd ed. IEEE, 1997, pp. 7–22.
[3] J. A. Goguen and C. Linde, “Techniques for requirements elicita-
tion,” in Software Requirements Engineering, 2nd ed. IEEE, 1997,
Fig. 7. The revised lift system process pp. 111–122.
[4] P. Checkland and J. Scholes, Soft Systems Methodology in Action.
John Wiley and Sons Ltd., 1990.
[5] D. A. Peled, Software Reliability Methods. New York: Springer,
• Maintain intuitive and simple software requirements 2001.
documentation that is accessible to non-technical [6] S. Flake, W. Müller, and J. Ruf, “Structured English for model
parties involved in a software project. checking specification,” in Methoden und Beschreibungssprachen
zur Modellierung und Verifikation von Schaltungen und Systemen
• Create a simplified and more automated process 2.8.2. Berlin: VDE Verlag, February 2000.
for generating formal models from a set of natural [7] S. Flake, W. Müller, and J. Ruf, “Mapping of structured English
language requirements, without removing the human sentences to CCTL formulae,” C-LAB, Tech. Rep. 04/2000, Febru-
ary 2000.
cognition aspect from the activities involved in re- [8] S. Flake, W. Müller, and J. Ruf, “An advanced visual capture
quirements engineering. for model checking specifications,” C-LAB, Tech. Rep. 05/2000,
• Facilitate the use of natural language and transition- February 2000.
[9] R. Hähnle, K. Johannisson, and A. Ranta, “An authoring tool for
system based requirements in requirements engineer- informal and formal requirements specifications,” in ETAPS/FASE-
ing activities, still taking advantage of formal meth- 2002: Fundamental Approaches to Software Engineering, ser.
ods for modelling and reasoning. Springer LNCS, R. D. Kutsche and H. Weber, Eds., 2002, vol. 2306,
pp. 233–248.
To build Borg, we reused the ideas behind Circe’s [10] OMG, OMG Unified Modeling Language Specification. Object
architecture. We used Cico as the natural language parser Management Group, September 2001, version 1.4. [Online].
Available: www.omg.org
front end for textual requirements, and developed a series [11] V. Ambriola and V. Gervasi, “The Circe approach to the systematic
of tools that can identify different types of requirements analysis of NL requirements,” Università di Pisa, Tech. Rep. TR-
written in natural language and convert them to equivalent 03-05, March 2003.
[12] T. DeMarco, Structured Analysis and System Specification. New
definitions using process algebra. The output of the tool York: Yourdon, 1978.
can be directly used by the Nova Circal implementation [13] Z. Liu, H. Jifeng, X. Li, and Y. Chen, “A relational model for formal
to manipulate and verify the formal models. Borg also object-oriented requirements analysis in UML,” in Formal Methods
and Software Engineering, ser. Lecture Notes in Computer Science,
includes a parser for the Graphviz Dot language, which J. S. Dong and J. Woodlock, Eds., vol. 2885. Springer, November
allows graphical and natural language requirements to be 2003, pp. 641–664.
mixed in software requirements specifications. [14] W. Shen and S. Liu, “Formalization, testing and execution of a use
case diagram,” in Formal Methods and Software Engineering, ser.
Although the current tool implementation supports only Lecture Notes in Computer Science, J. S. Dong and J. Woodlock,
requirements that represent transition based systems, its Eds., vol. 2885. Singapore: Springer, November 2003, pp. 68–85.
architecture does not preclude the implementation of dif- [15] S. P. Miller, A. C. Tribble, and M. P. E. Heimdahl, “Proving
the shalls,” in FME 2003: Formal Methods, ser. Lecture Notes in
ferent modellers, projectors and translators to support other Computer Science, K. Araki, S. Gnesi, and D. Mandrioli, Eds., vol.
formal methods. 2805. Pisa, Italy: Springer, September 2003, pp. 75–93.
From a feasibility point of view, the tool presented here [16] D. Harel, “Statecharts: A visual formalism for complex systems,”
Science of Computer Programming, no. 8, pp. 231–274, 1987.
shows that it is possible to achieve the goal of generat- [17] G. Milne, “Circal and the representation of communication, concur-
ing formal models from natural language and graphical rency and time,” in ACM Transactions on Programming Languages
requirements. It is important to note however, that a more and Systems. ACM, 1985, vol. 7, no. 2.
[18] A. J. Cowie, “The modelling of temporal properties in a process
thorough practicality analysis is still needed to assess the algebra framework,” Ph.D. dissertation, School of Computer and
level of effort required to adapt the tool to different projects Information Science, Faculty of Information Technology, University
and domains, and to do that a set of appropriate metrics of South Australia, 1999.
[19] E. R. Gansner and S. C. North, “An open graph visualization system
also needs to be defined. and its applications to software engineering,” in Software—Practice
We envisage that one possible extension to this frame- and Experience, September 2000, vol. 30, no. 11, pp. 1203–1233.
work could be the construction of a tool to re-express [20] R. G. Dromey, “From requirements to design: Formalizing the
key steps,” in SEFM 2003 – International Conference on Software
process algebra in natural language, to simplify the analysis Engineering and Formal Methods. The University of Queensland
of formal models produced by Borg. A comparison of – School of Information Technology and Electrical Engineering,
the original natural language requirements with the ones 2003, pp. 2–13.
3.7
AWRE’04 9th Australian Workshop on Requirements Engineering
TABLE I
Appendix
T UPLE TYPE DESCRIPTIONS
This section presents a more detailed view of the parse
Tuple type Description
trees generation and the modeller operation by showing DEPT A requirement that is composed of a
how requirement 7.4 is converted to Circal. relational operation (a condition) and
After processing a requirement, Cico produces a parse an operation that is the result of the
condition being satisfied.
tree representation in a T-model, as shown in Figure 8. RELOP In the example presented in this paper,
Nodes indicate tuple types, and leaves are terms used in RELOP is a relationship between a state
the requirement or specific commands introduced by Cico variable and a state description.
CONDRECEIPT A condition that becomes true when an
during the tree generation. Borg’s modellers use tuple types event occurs.
and terms to match and translate parts of the parse trees OPERATION A change in state.
into abstract models. Table I describes each one of the DOOP Indicates the execution of an operation
types used in this example. by an actor.
The modeller uses the following information to con-
struct the behavioural information in this case: DEPT
state.
Fig. 8. Parse tree generated by Cico from Requirement 7.4
The final generated process is depicted in Figure 9,
and as can be seen it is only part of the full behaviour OPEN command
shown previously in Figure 5. It is also the purpose of the
modellers to perform a second pass on the T-models to
SHUT OPEN
combine the various pieces of structural and behavioural
information into one complete abstract model. Fig. 9. Graphical representation of Circal process generated
from Requirement 7.4
c
Copyright
2004 Rubens Fernandes and Alex J. Cowie
The author(s) assign to AWRE and educational non-profit institutions a non-exclusive licence to use this document for personal use and in
courses of instruction provided that the article is used in full and this copyright statement is reproduced. The author(s) also grant a non-
exclusive licence to AWRE to publish this document on the AWRE web site (including any mirror or archival sites that may be developed)
and in printed form within the AWRE 2004 Proceedings. Any other usage is prohibited without the express permission of the author(s).
3.8